Protect Your Business from Cyber Risk

John P. Mello -- Expert Business Source, 4/20/2007 6:39:00 AM

Computers, computer networks and the Internet have opened up a new universe of opportunity for small businesses, but they’ve also popped the lock on a Pandora’s box of risk – most of it uncovered by traditional insurance policies.

What are some of those risks? They include:

• Copyright and patent infringement
• Libel, slander and defamation
• Data sabotage
• Lost information assets
• Violation of privacy rights
• Network security failures
• Cyber-extortion
• Damages from viruses, worms and Trojans
• Contractual liability from service-level agreements

“The carriers have, over the last five years, rewritten their policy language so that you’re not going to get coverage for cyber items under a traditional commercial insurance policy,” asserts Julie K. Davis, executive vice president and managing director of the Wired for Growth program of Aon, a risk management, reinsurance and human capital consulting company in San Jose, Calif.

While some small businesses may wish to roll the dice and forgo cyber insurance, other companies won’t have that option, according to Davis. “If a small business wants to do business with someone, oftentimes they’ll have to produce a certificate of insurance certifying they have certain cyber coverages in place,” she maintains.

According to insurance experts, small businesses typically buy cyber policies covering $1 million to $5 million in damages. Deductibles range from $2,500 to $25,000; premiums, $2,500 to $15,000 annually. Factors affecting premium amounts include a business’s industry, the type of risks it’s exposed to and whether a policy includes “third party” coverage of a customer or supplier, for instance. Premiums for policies with third-party coverage may be twice as high as those that cover just the policyholder.

In the last 12 months, the emphasis of the coverage has changed, as more states adopt laws requiring public disclosure of data security breaches, according to Toby Merrill, assistant vice president of ACE Professional Risk in Philadelphia. In 2003, only California had such a law; today, 35 states have them and more are expected to enact similar legislation. A company experiencing a data breach may have to assume a whole host of costs connected to these notification laws, including:

• Postage and printing for notices and ancillary material
• Advertising in newspapers and on websites
• Credit monitoring services for affected parties
• Public relations to manage spin on the breach

For business owners unschooled in cyber insurance, new liability policies can be baffling. “In this area, there’s pretty much no standardization,” contends Pamela A. Eudowe, a senior account executive with Tennant Risk Services in Hartford, Conn. “No two policies are alike, as they would be when buying general liability or automobile insurance.”

What should small business owners take into consideration when determining if cyber liability insurance is for them? Here are some recommendations from the experts:

• Prioritize risks most important to you.
• Determine if you need third-party exposure
• Check the breadth of the exposures covered by the policy. For example, do the privacy protections extend beyond network breeches to other things such as stolen laptops or misplaced flash drives?
• Check who the policy covers. Employee as well as customer data should be protected.
• Ascertain if the cost of regulatory actions are covered. Those actions can occur well before any legal action is taken regarding a breech and can result in legal costs and escrow payments.

John Mello is a freelance business and technology writer.